Many claim that the security model developed by Bell and LaPadula and used as a basis for numerous prototype military computer systems is superior to others partly because its authors prove a "Basic Security Theorem" that applies to it. This paper shows that the theorem does not support such claims since it can be proven for security models that are obviously not secure. Further, the theorem provides little help to those who design and implement secure systems.

1. Introduction

The security model developed by Bell and LaPadula [1] has been widely used as a basis for designing systems with specified security properties [2]. It has been argued that one reason developers should have confidence in the security provided by systems based on this model is a theorem, called the "Basic Security Theorem" (BST) [1, p. 20], proven about a formalization of the model by its authors [1, p. 90, corollary A1]. Several authors have proven similarly named theorems about related security models [3,4,5]. This note reviews the Bell-LaPadula model briefly and shows that the BST can be proven for systems that directly contradict the notion of security embodied in the Bell-LaPadula model. We conclude that the value of the BST is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it doesn't hold.

2. Bell-LaPadula Model

The Bell-LaPadula model is based on a state machine in which subjects apply operations (rules) that may require access to objects. The state of the system includes a set of triples that define the current access mode each subject has to each object in the system. Permissible access is determined partly by a security level (classification or clearance) associated with each object and subject. These security levels are partially ordered. Each subject also has a current security level that is bounded above by its clearance. There is also an access matrix that further constrains the access mode an arbitrary subject is allowed to have to an arbitrary object.

The following formal description of the Bell-LaPadula model corresponds to the original notation [1] as closely as possible, but nonessential details are omitted. Consider the sets $S$, $O$, and $A$ whose elements are known as subjects, objects, and access modes, respectively. Intuitively, $S$ consists of all system users and programs; $O$ consists of all system files; and $A$ is {read, execute, write, append}, the set of all modes in which an element of $S$ can have access to an element of $O$. Bell and LaPadula define a system state $v$ as an element of $V = (B \times M \times F \times H)$, where

$B$ is the set of current accesses, a subset of $S \times O \times A$ that gives the access modes each subject currently has to each object,

$M$ is the access permission matrix, where $M_{ij} \subseteq A$ is the set of access modes subject $i$ may have to object $j$,

$F$ consists of the three functions $f_s$, which gives the security level (clearance) associated with each subject, $f_o$, which gives the security level (classification) associated with each object, and $f_c$, which gives the current security level for each subject, and

$H$ defines the current object hierarchy and is of no concern here.

The set of requests (e.g., to acquire or rescind access to objects) is denoted by $R$, and the set of decisions (e.g., yes, no, error) is denoted by $D$. Finally, $W \subseteq R \times D \times V \times V$ represents the actions of the system: a request $r$ yields a decision $d$ and moves the system from state $v$ to its successor.

Let $T$ be the set of positive integers, and $X$, $Y$, and $Z$ the sets of functions from $T$ to $R$, $D$, and $V$, respectively. The Bell-LaPadula model defines a system $\Sigma(R, D, W, z_0)$ to be a subset of $X \times Y \times Z$ such that $(x, y, z) \in \Sigma(R, D, W, z_0)$ if and only if $(x_t, y_t, z_t, z_{t-1}) \in W$ for each $t \in T$, where $z_0$ is the initial state of the system. Each triple $(x, y, z) \in \Sigma(R, D, W, z_0)$ is called an appearance of the system, and each quadruple $(x_t, y_t, z_t, z_{t-1})$ is called an action of the system.

The concept of a secure state is defined by three properties: the simple security (ss) property, the *-property, and the discretionary security (ds) property. A state satisfies the ss-property if, for each element of $B$ that has an access mode of read or write, the clearance of the subject dominates (in the partial order) the classification of the object. A triple $(s, o, x)$ satisfies the simple security condition relative to $f$ (SSC rel $f$) if $x$ is execute or append, or if $x$ is read or write and $f_s(s)$ dominates $f_o(o)$.

A state satisfies the *-property if, for each $(s, o, x)$ in $B$, the current security level of $s$ is equal to the classification of $o$ if the access mode is write, dominates the classification of $o$ if the access mode is read, and is dominated by the classification of $o$ if the access mode is append. A state is said to satisfy the *-property relative to $S'$, where $S' \subseteq S$, if this condition holds for all triples of $B$ in which $s \in S'$. Subjects not in $S'$ (and therefore not bound by the *-property relative to $S'$) are called trusted subjects.

A state satisfies the ds-property if, for each member of $B$, the specified access mode is included in the access matrix entry for the corresponding subject-object pair. A state is secure if and only if it satisfies the ss-property, the *-property relative to $S'$, and the ds-property.

In addition to restricting subjects from having direct access to information for which they are not cleared, this concept of security is intended to prevent the unauthorized flow of information from a higher security level to a lower one. The *-property relative to $S'$ specifically prevents nontrusted subjects from simultaneously having read access to information at one level and write access to information at a lower level.

Bell and LaPadula introduce analogous constraints on a system. A system appearance $(x, y, z) \in \Sigma(R, D, W, z_0)$ satisfies the ss-property if each state in the sequence $\langle z_0, z_1, \ldots \rangle$ satisfies it.¹ A system satisfies the ss-property if each of its appearances does. Analogous definitions introduce the notions of a system satisfying the *- and ds-properties and the concept of a secure system. Theorems A1, A2, and A3 [see below], for the ss-, *-, and ds-properties respectively, show that a system $\Sigma(R, D, W, z_0)$ satisfies the property in question for any initial state that satisfies the property if and only if $W$ (1) adds no new elements to $B$ that would violate the property and (2) deletes any elements that, following the state change, would violate that property. The BST is presented without proof as a corollary of theorems A1, A2, and A3:

Basic Security Theorem: A system $\Sigma(R, D, W, z_0)$ is secure if and only if $z_0$ is a secure state and $W$ satisfies the conditions of theorems A1, A2, and A3 for each action.²

3. Basic Security Theorem for an Alternative Security Model

Suppose that a different set of properties were chosen to define the concept of a secure state. If the BST is indeed a basis for having confidence that the Bell-LaPadula model captures the desired notion of security, then it should not be possible to prove a comparable theorem for a security model that has a substantially different definition for "secure state", and it certainly should not be possible to prove the theorem for a security model that is obviously not secure. The example below shows that this is not only possible but simple.

Define the †-property to hold for a state if, for each triple $(s, o, \mathrm{write})$ in $B$, the current security level of $s$ dominates the classification of $o$. This is in essence the reverse of the *-property of Bell-LaPadula and allows subjects to transfer information from higher security levels to lower security levels. Hence, the model is not secure since it allows secret information to be copied into unclassified files, e.g., the Washington Post. Define a secure state to be one that satisfies the ss-property, the †-property, and the ds-property. Following Bell and LaPadula, a "Basic Security Theorem" will be proven as a corollary from three other theorems.

1. In [1] an appearance satisfies the ss-property if each state in $\langle z_1, z_2, \ldots \rangle$ satisfies the property; no restriction is placed on $z_0$. Nevertheless, the intent is clear since without this restriction, the BST as stated in [1] is false. See n. 2 below.

2. As noted in n. 1 above, this theorem as presented in [1] is actually false since it is possible for a system to be secure even though its initial state is not secure.

Theorem A1: $\Sigma(R, D, W, z_0)$ satisfies the ss-property for any initial state $z_0$ that satisfies the ss-property iff $W$ satisfies the following conditions for each action $(R_i, D_j, (b^*, M^*, f^*, H^*), (b, M, f, H))$:

(i) each $(s, o, x) \in b^* - b$ satisfies SSC rel $f^*$;

(ii) if $(s, o, x) \in b$ does not satisfy SSC rel $f^*$, then $(s, o, x) \notin b^*$.

Proof: Given in [1].

Theorem A2′: $\Sigma(R, D, W, z_0)$ satisfies the †-property relative to $S'$, a subset of $S$, for any initial state $z_0$ that satisfies the †-property relative to $S'$ iff $W$ satisfies the following conditions for each action $(R_i, D_j, (b^*, M^*, f^*, H^*), (b, M, f, H))$:

(i) for each $s \in S'$, any $(s, o, x) \in b^* - b$ satisfies the †-property with respect to $f^*$;

(ii) for each $s \in S'$, if $(s, o, x) \in b$ does not satisfy the †-property with respect to $f^*$, then $(s, o, x) \notin b^*$.

[N.B.: This is the †-property analogue of a simplified statement of the original theorem A2.]

Proof:

(←)

Proof by strong induction: Assume that for all $i < n$, $z_i$ satisfies the †-property and that the action yielding $z_n$ satisfies (i) and (ii). It follows that $z_n$ satisfies the †-property, as can be seen by the following argument:

If $n = 0$ then $z_n$ satisfies the †-property by hypothesis. If $n > 0$, then $z_{n-1}$ satisfies the †-property by hypothesis. The only way $z_n$ could fail to satisfy the property is if a new write access has been granted that violates the property with respect to $f^*$ or if an old write access is kept that violates the property relative to $f^*$. But the former possibility is ruled out by (i) and the latter by (ii).

(→)

Proof by contradiction: Assume that some state $z$ satisfies the †-property but not (i). Then there is an $s \in S'$ such that $(s, o, x)$ is in $b^* - b$ (and hence in $b^*$), but fails to satisfy the †-property, yielding a contradiction. Similarly, if $z$ satisfies the †-property but fails to satisfy (ii), then there is an $s \in S'$ such that $(s, o, x)$ is in $b$, fails to satisfy the †-property, and is in $b^*$ as well, also yielding a contradiction.

Theorem A3: $\Sigma(R, D, W, z_0)$ satisfies the ds-property iff the initial state $z_0$ satisfies the ds-property and $W$ satisfies the following conditions for each action $(R_i, D_j, (b^*, M^*, f^*, H^*), (b, M, f, H))$:

(i) if $(S_k, O_l, x) \in b^* - b$, then $x \in M^*_{kl}$;

(ii) if $(S_k, O_l, x) \in b$ and $x \notin M^*_{kl}$, then $(S_k, O_l, x) \notin b^*$.

Proof: Provided in [1].

Basic Security Theorem: $\Sigma(R, D, W, z_0)$ is a secure system (i.e., satisfies the ss-, †-, and ds-properties) iff $z_0$ is a secure state and $W$ satisfies the conditions of theorems A1, A2′, and A3 for each action.

Clearly this exercise could be repeated, substituting alternative versions of either of the other security properties (e.g., only allowing users to read information classified above their clearances) as well.
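As an added illustration (not code from the paper), the following Python models a state with the paper's $B$, $M$, $f_s$, $f_o$ and $f_c$, the ss-, *-, ds- and †-properties as per-triple predicates, and conditions (i)/(ii) of theorems A1-A3 as one generic transition check; the subject, object and level names are constructed. Run over a short trace it shows the point of sections 2 and 3 together: the inductive side and the direct side of the BST agree whether the middle property is * or †, even though the †-secure trace ends with a subject holding read on a secret file and write on an unclassified one.

```python
from typing import Dict, List, Set, Tuple
# Constructed illustration, not code from the paper. Levels are integers
# ordered by dominance (a chain; the model only needs a partial order).
UNCLASSIFIED, SECRET = 0, 2
Triple = Tuple[str, str, str]   # (subject, object, access mode) in B

class State:
    """One state v = (B, M, F); the hierarchy H is omitted as in the paper."""
    def __init__(self, b: Set[Triple], m: Dict[Tuple[str, str], Set[str]],
                 fs: Dict[str, int], fo: Dict[str, int], fc: Dict[str, int]):
        self.b, self.m, self.fs, self.fo, self.fc = frozenset(b), m, fs, fo, fc

def ss(st, s, o, x):      # ss-property: read/write require fs(s) >= fo(o)
    return x in ("execute", "append") or st.fs[s] >= st.fo[o]

def star(st, s, o, x):    # *-property, judged on the current level fc(s)
    return {"write": st.fc[s] == st.fo[o], "read": st.fc[s] >= st.fo[o],
            "append": st.fc[s] <= st.fo[o], "execute": True}[x]

def dagger(st, s, o, x):  # the paper's reversed property: write-down allowed
    return x != "write" or st.fc[s] >= st.fo[o]

def ds(st, s, o, x):      # ds-property: the mode must appear in M[s][o]
    return x in st.m.get((s, o), set())

def state_secure(st: State, props) -> bool:
    return all(p(st, s, o, x) for (s, o, x) in st.b for p in props)

def action_ok(old: State, new: State, p) -> bool:
    """Conditions (i) and (ii) of theorems A1-A3 for a single property p."""
    return (all(p(new, *t) for t in new.b - old.b)                # (i)
            and all(p(new, *t) or t not in new.b for t in old.b))  # (ii)

def bst_sides(trace: List[State], props) -> Tuple[bool, bool]:
    """(inductive side, direct side) of the BST; the theorem says they agree
    for any choice of per-triple props, which is exactly the paper's point."""
    inductive = state_secure(trace[0], props) and all(
        action_ok(a, b, p) for a, b in zip(trace, trace[1:]) for p in props)
    direct = all(state_secure(st, props) for st in trace)
    return inductive, direct

# Constructed trace: a Secret-cleared subject reads a secret file and then
# opens an unclassified file for writing (the paper's "Washington Post").
M = {("alice", "plan"): {"read"}, ("alice", "post"): {"write"}}
FS, FO = {"alice": SECRET}, {"plan": SECRET, "post": UNCLASSIFIED}
Z0 = State(set(), M, FS, FO, dict(FS))
Z1 = State({("alice", "plan", "read")}, M, FS, FO, dict(FS))
Z2 = State(Z1.b | {("alice", "post", "write")}, M, FS, FO, dict(FS))
BLP, DAGGER = [ss, star, ds], [ss, dagger, ds]
```

Under the Bell-LaPadula properties the last action is rejected by the *-property and both sides of the theorem come out False; under the †-property both sides come out True, while Z2 still lets alice copy "plan" into "post".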

4. Discussion

We have shown that the Basic Security Theorem does nothing to establish that a system is really secure. An analogue holds for any definition of "secure state" in a system whose states can be indexed to support induction. As such, it is a property of state indexing, not of security.

The real problems to be dealt with in considering a security model are (1) is the definition of "security" offered in the model a good one, i.e., does it capture what we really mean by "security", and (2) can we prove that a real system meets the definition. The first problem is not addressed by the BST since it is hard to imagine an explication of security for which there is not an analogous theorem, and the second problem is not made any simpler by the BST owing to the uninformativeness of the theorem's hypothesis.

This latter point deserves emphasis. It may seem as though the Basic Security Theorem is a significant tool in that it provides a means for proving security of every reachable system state by only considering the initial state and the rules that transform a system from one state to the next. However, the triviality of the tool renders it all but useless. Stripped of all formalism, the theorem states that if a system starts in a secure state and if all its transitions are such that at each state any old access that violates security under the new state's clearance functions is withdrawn and no new access is introduced that violates security, then the system will remain secure. But this is so obvious that it is of virtually no help.

In short, the theorem does not address the real problems. Nevertheless, the theorem has been advanced [1,3,6] as a substantial argument in favor of adopting the Bell-LaPadula model as a basis for developing secure systems, probably because people have confused the theorem with the nontrivial task of proving that an implementation meets the conditions of a given security definition. What is perhaps more damaging is that every new explication of "security" is expected to be accompanied by an analogue of the BST even though the time spent proving the theorem is, as should be clear by now, wasted. By focusing on the theorem, the security community has lost track of what needs to be done.

In fairness to Bell and LaPadula, they do not seem to have suggested that the theorem addresses the above problems. They merely wanted to show that security is an "inductive" property, unlike (according to them) deadlock. Given the previous discussion, it should be obvious that an analogue of the theorem holds for deadlock as well. In any event, once security has been shown to be inductive, why insist on proving it over and over again?